Fig. 5: Two-Factor Identification (Token + Fingerprint)

[Flowchart placeholder; legible elements: Token ... Access Granted]

Legend
P     possession factor value
K     knowledge factor value
B     biometrics factor value
PKEK  profile key encryption key

10/502478    WO 03/065169    PCT/US03/02931    5/22

Two-Factor Identification (Token + Fingerprint w/Encrypted Template)

Access Restricting Credentials

[Figure placeholder; panels: Category A, Category B]

1. During object encryption, member chooses which credentials to apply, no more than one credential per category.

2. Access is granted to decrypt only if read permission (knowledge of private key) is available for all credentials that were used to encrypt.

Case shown in the figure:
* One credential (3) from Category A.
* One credential (14) from Category B.
* Read permission for BOTH credentials (3 and 14) is needed to be able to decrypt.
Access Broadening Credentials

1. During object encryption, member chooses which credentials to apply. More than one credential can be selected within a category if that category is a multiple credential selection category.

2. Access is granted to decrypt if read permission (knowledge of private key) is available for any one credential that was used to encrypt in a multiple credential selection category.

Case shown in the figure:
* One credential (Top Secret) from security category.
* Two credentials (Canada and US) chosen from Category B.
* Read permission for Top Secret and either Canada or US is needed to be able to decrypt.
Threshold Method for Multiple Credential Selection Category

[Figure placeholder; only the following step text is legible, gaps marked [...]. Arrow labels in the figure: "To REK calculation", "To header".]

1. Credential public key, y, and ephemeral private key, r, derive [...]

3. Hash concatenated value to create share encryption key, [...]

4. Generate key, K, and coefficient, a, at random. K is used in REK computation.

5. Using a (2, s+1) threshold [...] coefficient, a, and credential [...]
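The two credential figures (access restricting: every category's credential is needed; access broadening: any one credential in a multiple credential selection category suffices) and the threshold figure above fit together: a (2, s+1) threshold split is what makes "any one of s credentials" work. The following is an added example written for this page, not code from the patent. It assumes a toy prime field P for the threshold line, a small toy Diffie-Hellman group (Q, G) to model the credential public key y and ephemeral private key r, a hash of the shared value as the share encryption key (my reading of step 3), an XOR pad as a stand-in for the share cipher, and that share s+1 is the extra share placed in the header, which the page's "To header" label suggests but does not state.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only, not the patent's parameters):
# P is the prime field for the (2, s+1) threshold line; Q and G form a small DH
# group standing in for the credential key pairs.
P = (1 << 127) - 1
Q = (1 << 61) - 1
G = 3


def can_decrypt(required, held):
    """Decrypt rule of the two credential figures.

    required maps category -> (mode, credential ids used at encryption time).
    mode 'all': access-restricting category, read permission for every credential needed.
    mode 'any': multiple credential selection category, any one credential suffices.
    Categories are always ANDed together; only an 'any' category is ORed inside.
    """
    for mode, creds in required.values():
        if mode == "any":
            if not (creds & held):
                return False
        elif not creds <= held:
            return False
    return True


def split_key(K, s):
    """(2, s+1) split: random coefficient a defines the line f(x) = K + a*x mod P.
    Shares 1..s go one per credential; share s+1 is assumed to be the header share,
    so one credential share plus the header share is enough to recover K."""
    a = secrets.randbelow(P - 1) + 1
    return {x: (K + a * x) % P for x in range(1, s + 2)}


def recover_key(share1, share2):
    """Lagrange interpolation of the line at x = 0 from any two distinct points."""
    (x1, y1), (x2, y2) = share1, share2
    a = ((y2 - y1) * pow((x2 - x1) % P, P - 2, P)) % P
    return (y1 - a * x1) % P


def share_key(shared_value):
    """Step 3 reading: hash the DH-derived value to make the share encryption key."""
    return hashlib.sha256(shared_value.to_bytes(8, "big")).digest()[:16]


def wrap_share(share, y, r):
    """Encrypt one share for the credential with public key y using ephemeral private
    key r (shared value y^r mod Q). The XOR pad is a toy stand-in for the cipher."""
    pad = share_key(pow(y, r, Q))
    return bytes(s ^ p for s, p in zip(share.to_bytes(16, "big"), pad))


def unwrap_share(blob, R, x):
    """Credential private key x and ephemeral public key R = G^r give the same (G^r)^x."""
    pad = share_key(pow(R, x, Q))
    return int.from_bytes(bytes(b ^ p for b, p in zip(blob, pad)), "big")


def demo_access_broadening():
    """Fig. 7 case: Top Secret AND (Canada OR US); the Canada holder alone unlocks B."""
    K = secrets.randbelow(P)
    shares = split_key(K, 2)  # share 1: Canada, share 2: US, share 3: header
    x_canada, x_us = secrets.randbelow(Q - 2) + 1, secrets.randbelow(Q - 2) + 1
    y_canada, y_us = pow(G, x_canada, Q), pow(G, x_us, Q)
    r = secrets.randbelow(Q - 2) + 1
    header = {"R": pow(G, r, Q), "public_share": (3, shares[3]),
              "Canada": wrap_share(shares[1], y_canada, r),
              "US": wrap_share(shares[2], y_us, r)}
    # Holder of Top Secret and Canada: own share + header share recovers K.
    my_share = (1, unwrap_share(header["Canada"], header["R"], x_canada))
    policy = {"security": ("all", {"Top Secret"}), "B": ("any", {"Canada", "US"})}
    return (can_decrypt(policy, {"Top Secret", "Canada"})
            and recover_key(my_share, header["public_share"]) == K)
```

The policy check and the share arithmetic are deliberately separate: can_decrypt is the access decision a verifier can audit, while split_key and recover_key show why an 'any' category needs no per-credential copy of K, only one wrapped share per credential plus the header share.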
Password Authentication to a Hardware Token

Password and Biometric Authentication to a Hardware Token

Password with Biometric Authentication within a Hardware Token
[Flowchart placeholder: Token]

Establish the encrypted data transfer system. Using the key that is then transferred, unlock Private Data group 1. (On failure: Fail.)

Token unlock key

Using information in Private Data group 1, the Token unlock key, and the preceding match, unlock Private Data group 2.

Legend
(R)   Read Only
(W)   Write Only
HMAC  keyed Hash using SHA-256
Hash  SHA-256
      Data transferred over the encrypted channel

Fig. 18

10/5024    WO 03/065169    PCT/US03/02931    19/22



Message Transmission from Client to Token with Message Numbering

[Flowchart placeholder. Token side: Session Key, Decrypt, M || Msg No, Concat, Session Random, HMAC, HMAC of Token ID (W), Match / No Match -> Fail, Msg No, Process Message. Provider side: M || Msg No, Concat, Number, Session Random, Session Key, Encrypt, HMAC, Concat, HMAC of Token ID.]

Legend
(R)   Read Only
(W)   Write Only
HMAC  keyed Hash (SHA-256)
M     Message
Hash  SHA-256

Fig. 19

WO 03/065169    10/502478    PCT/US03/02931    20/22



Message Transmission from Client to Token with no Message Number

[Flowchart placeholder. Token side: Session Key, Concat, Session Random, M || Random, HMAC, HMAC of Token ID, Match / No Match -> Fail, Process. Client side: Client Message, Session Random, Session Key, Encrypt, HMAC, HMAC of Token ID, Concat.]

Legend
(R)   Read Only
(W)   Write Only
HMAC  keyed Hash (SHA-256)
M     Message
Hash  SHA-256

Fig. 20

WO 03/065169    21/22    10/502478    PCT/US03/02931
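Figs. 19 and 20 differ in one field: with message numbering the token authenticates M || Msg No, without it the token authenticates M || Random. The following is an added example written for this page, not the patent's code, showing what that field buys a defender. It assumes the session key is the HMAC key and that the HMAC of the token ID is bound into the tag; the session key, token ID and messages are constructed sample values, and the figures' encryption of the message body is left out so the integrity and replay check stands alone.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent): a session key and the HMAC of
# the token ID that both sides hold after session setup.
SESSION_KEY = hashlib.sha256(b"constructed session random").digest()
HMAC_OF_TOKEN_ID = hmac.new(SESSION_KEY, b"constructed token id", hashlib.sha256).digest()


def _tag(body: bytes) -> bytes:
    # Assumed reading: HMAC-SHA256 keyed with the session key over (HMAC of token ID || body).
    return hmac.new(SESSION_KEY, HMAC_OF_TOKEN_ID + body, hashlib.sha256).digest()


def build_numbered_message(msg: bytes, msg_no: int) -> bytes:
    """Fig. 19 sender: concatenate M || Msg No and append the HMAC over it."""
    body = msg + msg_no.to_bytes(4, "big")
    return body + _tag(body)


def build_random_bound_message(msg: bytes, session_random: bytes) -> bytes:
    """Fig. 20 sender: with no message number, M || Random is authenticated instead.
    The per-session random ties the tag to this session, but two identical messages
    in one session produce identical frames, so a replay is indistinguishable."""
    body = msg + session_random
    return body + _tag(body)


class TokenReceiver:
    """Fig. 19 token side: verify the HMAC, then require a strictly increasing message
    number so a captured frame replayed later is rejected although its HMAC matches."""

    def __init__(self):
        self.last_msg_no = 0
        self.processed = []

    def receive(self, frame: bytes) -> str:
        if len(frame) < 36:  # at least 4 bytes of message number plus a 32-byte tag
            return "fail: short frame"
        body, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(tag, _tag(body)):
            return "fail: no match"  # the figure's "No Match -> Fail" branch
        msg, msg_no = body[:-4], int.from_bytes(body[-4:], "big")
        if msg_no <= self.last_msg_no:
            return "fail: replayed or stale message number"
        self.last_msg_no = msg_no
        self.processed.append(msg)
        return "ok"
```

The order of the checks matters: the HMAC is verified before the message number is parsed, so nothing about the frame is trusted until the tag matches, and the counter is only advanced for authenticated frames.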

Key Derivation Function

[Flowchart placeholder: Token]

Legend
(R)   Read Only
(W)   Write Only
HMAC  keyed Hash using SHA-256
Hash  SHA-256
      Data transferred over the encrypted channel

Fig. 21

WO 03/065169    22/22    10/502478    PCT/US03/02931


PBE

[Flowchart placeholder: PBE -> PKCS #5 PBKDF2 using SHA256 -> Key -> HMAC-SHA256 -> HMAC output. Outputs labelled: PKCS #5 key, HMAC output.]

Fig. 22
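Fig. 22 chains two standard primitives: a PKCS #5 PBKDF2 key derived from the password with SHA-256, then an HMAC-SHA256 keyed with that derived key. The following is an added example written for this page, not the patent's code, using Python's standard library implementations of both. The iteration count, key length, salt handling and the constant-time verification helper are my choices; the figure names only the primitives.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed choice; the figure names PBKDF2 but no count
KEY_LEN = 32          # one SHA-256 output, matching the HMAC-SHA256 key size


def pkcs5_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Left box of Fig. 22: PKCS #5 PBKDF2 with HMAC-SHA256 as the PRF."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)


def pbe_hmac(password: bytes, salt: bytes, data: bytes) -> bytes:
    """Full chain: password -> PKCS #5 key -> HMAC-SHA256 over data -> HMAC output."""
    return hmac.new(pkcs5_key(password, salt), data, hashlib.sha256).digest()


def verify_pbe_hmac(password: bytes, salt: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so timing does not leak matching prefixes."""
    return hmac.compare_digest(pbe_hmac(password, salt, data), tag)


def protect(password: bytes, data: bytes) -> dict:
    """Store a fresh random salt beside the tag: the salt is public, the password is not,
    and a per-record salt prevents one precomputed table serving many records."""
    salt = os.urandom(16)
    return {"salt": salt, "tag": pbe_hmac(password, salt, data)}
```

Keeping the derived key internal to pbe_hmac means the only long-term secret the caller handles is the password; the PKCS #5 key exists just long enough to key the HMAC.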
